SYSTEMS AND METHODS FOR 
AUTHENTICATING A USER TO A WEB SERVER 

Field 

[0001] The present disclosure relates generally to networked computer systems. 
More particularly, the present disclosure relates to user authentication and access to 
one or more web servers. 

Description of Related Art 

[0002] In a typical web-based server application, access to information is 
achieved via a web server, with the application requiring the user to be authenticated 
by, e.g., a user id and/or a password. When a user requests access to information 
controlled by a web server, the web server typically has a login/authentication 
procedure which is independent of previous login/authentication procedures 
encountered by the user. To access the resources, appropriate authentication data 
must be presented to authenticate the user to the web server. This is conventionally 
accomplished by requiring the user to input additional login/authentication 
information specific to the new web server, or by hard-coding a generic login and 
password. 

[0003] Both of these solutions are unsatisfactory. Requiring the user to input 
additional information for each access request places a burden on the user to 
remember multiple logins and passwords and may also be a potential security risk if 
passwords are transmitted unencrypted over the network. Using a generic or static 
login and password in a script is a potential security hole and does not readily provide 
different levels of access based on the identity of the user. 
[0004] One attempt at addressing these issues is found in the new technology 
LAN manager (NTLM) automated authentication system. In the NTLM system 
similar components (the web browser and server) assure one another of the user's 
identity once the user is initially authenticated to a Microsoft network or to a 
Microsoft Windows NT domain (using a password). This assurance occurs 
transparently to the user. 
[0005] However, this system does not perform authentication to any web server 
that is not in the NT domain or in a trusted relationship with the original 
domain. Thus, the NTLM authentication system is of limited utility. 

[0006] Other conventional systems also provide access to independent network 
resources without prompting the user for authentication data. When these systems 
receive a user request to access an independent network resource, system logon and 
server authentication data is autonomously supplied to the independent network 
resource without further user interaction. However, these systems are not concerned 
with a World Wide Web hypertext transfer protocol environment, and are generally not 
concerned with authentication information based on the user's role. These systems 
maintain a password cache in the main memory of a local computer system. The 
password cache contains a server name, user name and password for each server to be 
accessed by a particular user. When presented with an access request, network 
software searches the password cache structure for the server authentication 
information before passing it on to the server to be accessed. 
[0007] Other conventional systems restrict a user's access of Internet information 
based on a rating category and/or ID associated with a particular terminal through the 
implementation of a firewall internal to a user's computer network. The firewall 
prevents the user from accessing certain types of Internet information (e.g., prevents 
children from accessing obscene material, prevents workers from accessing non-work 
related material, etc.). These systems are concerned with an internal authorization to 
access remote resources (which are presumed to be public resources), and are not 
concerned with a system in which authentication information is required by remote 
servers. 

[0008] FIG. 1 is a block diagram showing a conventional arrangement of network 
system 10 including a web server 12 in communication with a client 14. The client 14 
executes a web browser 16 which provides a user interface (not shown) for accessing 
resources through the web server 12. The web server 12 requires user authentication 
data to allow access to its resources. The web browser 16 and web server 12 exchange 
communication signals in the HTTP format via communication link 18. 
[0009] As is known in the art, servers have been used for data caching (retaining 
data when it is first fetched in case it is needed again), and as authentication servers 
for incoming traffic at a "firewall" (that is, conventional servers accept or reject user 
authentication). One example of a server is an advertisement filter which resides with 
the browser on the same computer, and which can remove advertisements from web 
pages. 

Summary 

[0010] The exemplary systems and methods of this disclosure provide a server 
which is independent from other applications, such as a network server, and which 
automatically intercepts authentication requests from web servers which are intended 
for the browser. The server responds directly to the authentication requests by 
providing authentication data, such as the user's identity and password, transparently 
to the user. The server may interact with the web browser to request the 
authentication data, but preferably, locates the authentication data on the system 
incorporating the browser and/or server. 

[0011] The authentication scheme according to the exemplary systems and 
methods of this disclosure allows a user to access numerous protected resources with a 
single authentication procedure, greatly improving the user's ease of system use. 
Further, because the server performs authentication on behalf of the user, the user can 
be authenticated to access protected resources using authentication methods that are 
not supported by the browser. 

[0012] These and other features and advantages of this disclosure are described in 
or are apparent from the following detailed description of exemplary embodiments. 
Brief Description of the Drawings 

[0013] Exemplary embodiments of the disclosure will be described in detail, with 
reference to the following figures wherein: 

[0014] Fig. 1 is a block diagram of a conventional network including a web 
browser communicating with a remote web server; 
[0015] Fig. 2 is a block diagram of a network including a web server in 
communication with a first exemplary embodiment of the disclosure; 
[0016] Fig. 3 is a flow chart outlining an exemplary method of accessing 
resources via a remote web server from a client in accordance with the disclosure; and 
[0017] Fig. 4 is a block diagram of another network including a web server in 
communication with a second exemplary embodiment of the disclosure which allows 
a proprietary authentication scheme to be used to transfer both user identity and other 
credentials. 

Detailed Description 
[0018] FIG. 2 is a block diagram showing a network 20 including a web server 22 
in communication with an exemplary embodiment of a client 24 according to the 
present disclosure. The client 24 executes a web browser 26 and a server 28. The 
web browser 26 is in communication with the web server 22 via the server 28 through 
communication link 30. 

[0019] The server 28 is a program that provides authentication service to the host 
device or other (client) programs, such as the web browser 26. The server 28 can run, 
waiting for requests to arrive, or the server 28 may be invoked by a higher level 
program or device (such as the web browser). Preferably, the server 28 is located on 
the same device as the web browser 26, so as to be able to readily access the user's 
credentials resident on the client 24. The server 28 is preferably implemented as an 
individual server for an individual browser and/or user. 
[0020] In the exemplary embodiment of FIG. 2, the server 28 receives user 
authentication data from the browser, from operating system resources, or from data 
stored elsewhere, for example on the client 24, and automatically and transparently (to the 
user and/or browser) provides this data to the web server 22. It is to be understood 
that the authentication data may be stored anywhere which is accessible by the server 
28. The server 28 intercepts all authentication requests encountered by the client 
device 24 when communicating with a web server 22. For each request, the server 28 
determines whether it is configured to respond to the authentication request; that is, 
whether the server 28 has (e.g., stored within its own resources) or can obtain (e.g., 
from the web browser 26 or other resources on the client 24) sufficient authentication 
data to respond directly to the web server 22 requiring authentication. If the server 28 
determines that it is configured to respond to the request, it conducts a hypertext 
transfer protocol (HTTP) authentication exchange (e.g., by saving the original HTTP 
request that triggered the authentication challenge and re-sending the saved request 
with an authorization header carrying the user's credentials) with the web server 22 
automatically and transparently to the web browser 26. If the server 28 is not configured 
to respond to the request, the request is passed on to the web browser 26, which may 
instruct the user to input data to authenticate the user for access to the resources 
controlled by the web server 22. Should the user wish to access a second remote server 
(not shown), which may be associated with a second remote device or system (not 
shown), the server 28 is capable of intercepting any authentication requests originating 
from the second remote server, and will operate substantially as described above for 
responding to the first authentication request. It will be appreciated that the server 28 
is able to determine which web server it is interacting with, so that it provides the 
credentials stored for that server and not those belonging to another. Thus, 
an exemplary authentication method and system according to the present disclosure 
allows a user to be automatically and transparently authenticated to multiple servers 
with a single sign-on procedure. 

[0021] While the first exemplary embodiment illustrated in Fig. 2 shows the web 
browser 26 and the server 28 collocated at the client 24, it is to be appreciated that the 
components of the client 24 may be located at distant portions of a distributed 
network, such as a local area network, a wide area network, an intranet and/or the 
Internet or the like. Thus, it is to be appreciated that the components of the client 24 
may be combined into one device or collocated on a particular node of a distributed 
network. As will be appreciated from the following description, and for reasons of 
computational efficiency, the components of the client 24 may be arranged at any 
location within a distributed network without affecting operations of the system. 
[0022] Additionally, while not shown in the figures, it is understood that the client 
24 may also include one or more input devices such as a keyboard, a mouse, speech to 
text converter or the like, display devices such as a computer monitor, a display on a 
PDA or any other device capable of displaying information to one or more users, 
associated controllers and I/O interfaces and storage components. 
[0023] As shown in Fig. 2, the client 24 may be implemented using a 
programmed general purpose computer. However, the client 24 can also be 
implemented using a special purpose computer, a programmed microprocessor or 
microcontroller and any necessary peripheral integrated circuit elements, an ASIC or 
other integrated circuit, a hardwired electronic or logic circuit such as a discrete 
element circuit, a programmable logic device such as a PLD, PLA, FPGA or PAL, or 
the like. In general, any device on which a finite state machine capable of 
implementing the flow chart of Fig. 3 resides can be used to implement the client 24. 
[0024] While not expressly shown in the figures, the client includes memory 
which is preferably implemented using static or dynamic RAM. However, the 
memory can also be implemented using a floppy disk and disk drive, a writable 
optical disk and disk drive, a hard drive, flash memory or the like. Additionally, it 
should be appreciated that the memory can be either distinct portions of a single 
memory or physically distinct memories. 

[0025] Further, it should be appreciated that the links 18, 30 and 50 can be wired 
or wireless network links. These networks can be local area networks, wide area 
networks, intranets, the Internet or any other distributed processing and storage 
networks as long as the network uses HTTP or another Internet or distributed processing 
protocol. 

[0026] Fig. 3 shows an exemplary control routine for providing access to 
resources controlled by a web server using a server in accordance with the present 
disclosure. The control routine may operate within another higher level control 
routine. Thus, while the control routine of Fig. 3 ends, it is understood that control 
may be returned to another higher level control routine after that control routine 
finishes. 

[0027] Initially, it is assumed that a web browser has been loaded on the host 
device and that the web browser user has been logged in and initially authenticated to 
establish a user identity with the server. The control routine starts at step S100 and 
continues to step S102. In step S102, the control routine receives the access request 
from the web browser and continues to step S104. In step S104, the control routine 
sends the access request to the web server and continues to step S106. In step S106, 
the control routine receives the response from the web server and continues to step 
S108. 

[0028] In step S108, the control routine determines whether the response requests 
authentication. If, in step S108, the control routine determines that the response does 
not request authentication, then the control routine jumps to step S118, where control 
returns to the control routine that invoked the control routine of Fig. 3. If, however, in 
step S108, the control routine determines that the response requires authentication, 
then the control routine continues to step S110. The request for authentication 
received in step S108 may be in the form of, e.g., one or more WWW-Authenticate 
headers in the HTTP protocol, which permit the web server to specify the type or types 
of authentication which can be accepted. 

[0029] In step S110, the control routine searches the client for authenticating 
information and continues on to step S112. The authenticating information may be 
stored in a database directly associated with the server or anywhere else as long as it is 
available to the server. In step S112, the control routine determines whether the 
authenticating information has been found. If, in step S112, the control routine 
determines that the authenticating information has been found, then the control 
routine continues to step S114. If, however, in step S112, the control routine 
determines that the authenticating information was not found on the client, then the 
control routine continues to step S120. In step S120, the control routine requests 
authenticating information from the web browser and continues to step S122. If the 
request for authentication was provided as an authentication header in HTTP, the 
browser returns to the server an authorization header carrying an authentication 
token appropriate to the authentication method. In step S122, the control routine 
receives the authenticating information from the web browser and continues to step 
S114. 

[0030] In step S114, the control routine provides the authenticating information to 
the web server and continues to step S116. In step S116, the control routine 
determines whether access has been granted to the resources by the web server. If, in 
step S116, the control routine determines that access has been granted, then the 
control routine continues to step S118. In step S118, the control routine returns 
control to the control routine which called the control routine of Fig. 3. If, however, 
in step S116, the control routine determines that access has not been granted, then the 
control routine continues to step S124. In step S124, the control routine generates an 
error message and continues to step S118. 
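The control routine of Fig. 3, worked through for HTTP Basic authentication, as an added example that is not code from this disclosure. The server 28 is a function that forwards the saved request, reads the WWW-Authenticate header of a 401 response, looks up a credential keyed by the host and realm it was stored for, re-sends the request with an Authorization header, and falls back to the browser (here a callback) when nothing is stored. The web server, the credential store and the host names are constructed for the example.

```python
"""Local authenticating server 28: the Fig. 3 routine for HTTP Basic.

Added example, not code from the patent. The web server is simulated
in-process with a constructed credential store so the exchange runs offline.
"""
import base64
import hmac
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

# Constructed store keyed by (host, realm): a credential is released only to
# the web server it was stored for, so a challenge from some other host never
# receives alice's password.
CRED_STORE = {
    ("intranet.example", "Reports"): ("alice", "s3cret-pw"),
}

Creds = Tuple[str, str]


@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def simulated_web_server(req: Request) -> Response:
    """Stand-in for web server 22: /reports/* requires Basic auth for alice."""
    if not req.path.startswith("/reports"):
        return Response(200, body="public page")
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            user, pw = "", ""
        if user == "alice" and hmac.compare_digest(pw.encode(), b"s3cret-pw"):
            return Response(200, body=f"report for {user}")
    return Response(401, {"WWW-Authenticate": 'Basic realm="Reports"'},
                    "authentication required")


def parse_challenge(value: str) -> Tuple[str, dict]:
    """Split a WWW-Authenticate value such as 'Basic realm="Reports"' into
    (scheme, params); scheme names are case-insensitive in HTTP."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for part in rest.split(","):
        key, _, val = part.strip().partition("=")
        if key:
            params[key.lower()] = val.strip().strip('"')
    return scheme.lower(), params


def proxy_fetch(req: Request, send: Callable[[Request], Response],
                prompt_browser: Optional[Callable[[str, str], Optional[Creds]]] = None
                ) -> Response:
    """Steps S102-S124: forward the request, intercept a 401 challenge,
    answer it from the store (or from the browser via prompt_browser), and
    return the final response or a server-generated error."""
    saved = req                                    # S102: keep the original request
    resp = send(saved)                             # S104/S106
    challenge = resp.headers.get("WWW-Authenticate")
    if resp.status != 401 or challenge is None:
        return resp                                # S108 -> S118: nothing to do
    scheme, params = parse_challenge(challenge)
    if scheme != "basic":
        return resp                                # not configured for this scheme: browser handles it
    realm = params.get("realm", "")
    creds = CRED_STORE.get((saved.host, realm))    # S110/S112: search the client
    if creds is None:
        if prompt_browser is None:
            return resp
        creds = prompt_browser(saved.host, realm)  # S120/S122: ask the browser
        if creds is None:
            return resp
    user, pw = creds
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    retry = Request(saved.method, saved.host, saved.path,
                    {**saved.headers, "Authorization": f"Basic {token}"})
    granted = send(retry)                          # S114/S116
    if granted.status == 401:                      # S124: report failure, never loop
        return Response(401, {}, f"proxy: authentication to {saved.host} failed")
    return granted


if __name__ == "__main__":
    out = proxy_fetch(Request("GET", "intranet.example", "/reports/q1"),
                      simulated_web_server)
    print(out.status, out.body)
```

Two design points matter here: the store is keyed by host and realm, so a 401 from a host with no stored entry is passed through to the browser unanswered rather than answered with someone else's credential, and the routine re-sends exactly once, so a server that keeps rejecting the credential produces the S124 error instead of an authentication loop.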

[0031] It will be appreciated that the principles of the present disclosure are 
readily adaptable to many types of authentication schemes. For example, rather than a 
general authentication scheme (access attempt, denial with request for authentication 
information, and new access attempt with authentication information), some types of 
authentication may require additional steps. One example of such an authentication 
protocol is a challenge-response authentication (such as the previously described 
NTLM technique), in which the remote web server denies an initial request for access 
and requests authentication, and also denies a further request for access including, 
e.g., a network identity, and issues a challenge. The party requesting access responds 
to the challenge, without transmitting a true authentication token (such as a password) 
over the network, by providing some indication that the requesting party knows a 
secret shared with the remote web server. For example, this might involve the server 28 
returning the challenge in an encrypted form, where the method of encryption indicates 
the requesting party's knowledge of the shared secret. In other words, the requesting 
party responds by demonstrating that it knows the password without revealing the 
password. This exemplary embodiment of this disclosure can be implemented with 
this type of authentication scheme, by having the server intercept the challenge and 
respond on behalf of the browser. This aspect of the disclosure allows, for example, a 
user of a non-NTLM browser to be authenticated to an NTLM server transparently to 
the user, and without modifications to the browser. 
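The challenge-response exchange of [0031], as an added example that is not code from this disclosure and is deliberately not NTLM: a hypothetical "X-Challenge" scheme in which the remote server denies the first request, denies again after receiving the identity and issues a fresh nonce, and the server 28 answers with an HMAC over the nonce under a key derived from the shared secret. Both ends are simulated in-process; the scheme name, the key derivation and the secret are assumptions made for the example.

```python
"""Challenge-response answered by the local server 28 on the browser's behalf.

Added example, not the patent's code and not NTLM. The password never
crosses the (simulated) wire; only a keyed MAC of the server's nonce does.
"""
import hashlib
import hmac
import os

SHARED_SECRET = b"s3cret-pw"   # constructed; known to client 24 and web server 22
SCHEME = "X-Challenge"         # hypothetical scheme name


def derive_key(secret: bytes) -> bytes:
    # Both ends derive the MAC key from the password; the password itself is never sent.
    return hashlib.sha256(b"x-challenge-v1|" + secret).digest()


def parse_fields(value: str) -> dict:
    """'user=alice;nonce=ab12' -> {'user': 'alice', 'nonce': 'ab12'}"""
    out = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            out[key] = val
    return out


def mac_for(key: bytes, user: str, nonce: str) -> str:
    return hmac.new(key, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()


class ChallengeServer:
    """Stand-in for the remote web server: two denials, then verification."""

    def __init__(self, secret: bytes):
        self.key = derive_key(secret)
        self.outstanding = {}           # nonce -> user; every nonce is single-use

    def handle(self, headers: dict):
        auth = headers.get("Authorization", "")
        if not auth.startswith(SCHEME + " "):
            return 401, {"WWW-Authenticate": SCHEME}               # first denial
        fields = parse_fields(auth[len(SCHEME) + 1:])
        if "response" not in fields:                               # identity only: challenge
            nonce = os.urandom(16).hex()
            self.outstanding[nonce] = fields.get("user", "")
            return 401, {"WWW-Authenticate": f"{SCHEME} nonce={nonce}"}
        nonce = fields.get("nonce", "")
        user = self.outstanding.pop(nonce, None)                   # replayed nonce -> None
        if user is None or user != fields.get("user"):
            return 403, {}
        if hmac.compare_digest(mac_for(self.key, user, nonce), fields["response"]):
            return 200, {"X-Authenticated-User": user}
        return 403, {}


def proxy_authenticate(server: ChallengeServer, user: str, secret: bytes) -> dict:
    """The server 28 side: drive the three-step exchange and return the final
    status with a transcript of everything that crossed the wire."""
    key = derive_key(secret)
    wire = []
    status, hdrs = server.handle({})
    wire.append(("S->C", status, hdrs))
    if status != 401 or not hdrs.get("WWW-Authenticate", "").startswith(SCHEME):
        return {"status": status, "wire": wire, "last_request": None}
    req = {"Authorization": f"{SCHEME} user={user}"}               # identity, no secret
    wire.append(("C->S", req))
    status, hdrs = server.handle(req)
    wire.append(("S->C", status, hdrs))
    fields = parse_fields(hdrs.get("WWW-Authenticate", "")[len(SCHEME) + 1:])
    if status != 401 or "nonce" not in fields:
        return {"status": status, "wire": wire, "last_request": req}
    answer = mac_for(key, user, fields["nonce"])                   # proof of the secret
    req = {"Authorization": f"{SCHEME} user={user};nonce={fields['nonce']};response={answer}"}
    wire.append(("C->S", req))
    status, hdrs = server.handle(req)
    wire.append(("S->C", status, hdrs))
    return {"status": status, "wire": wire, "last_request": req}


if __name__ == "__main__":
    result = proxy_authenticate(ChallengeServer(SHARED_SECRET), "alice", SHARED_SECRET)
    for entry in result["wire"]:
        print(*entry)
    print("final status", result["status"])
```

The transcript is the point of the example: it contains the identity, the nonce and a MAC, but never the password, and because the server consumes each nonce on first use, re-sending the captured final Authorization header is refused.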

[0032] Fig. 4 shows a network 40 with another exemplary embodiment of the 
client 44 in accordance with the present disclosure which allows a proprietary 
authentication scheme to be used to transfer both user identity and other credentials, 
such as the user's role, to the web server 42. The web server 42 includes a filter 52 or 
other suitable plug-in which is in communication with the server 48. An example of 
such a filter is a Microsoft ISAPI filter plug-in. When the filter 52 detects 
an access denial by the web server 42, the filter 52 adds a header specifying the 
proprietary authentication scheme name to the set of headers sent back to the client 44 
by the web server 42. As described above, the server 48 intercepts these headers on 
behalf of the web browser 46, and determines whether a proprietary authentication 
scheme is necessary to access the desired resources. If the proprietary authentication 
header is present, the server 48 responds to this header rather than the other 
authentication headers. To respond to the proprietary authentication header, the server 
48 extracts the user's token/credential (which, according to one exemplary 
embodiment of the disclosure, includes at least the role and identity of the user), 
reformats the token for transmission in the HTTP protocol, and transmits the 
reformatted token to the web server 42 in an authorization header. The filter 52 then 
accepts the authorization header as authentication for the proprietary service, and also 
assigns the user a local web-server identity from a set of identities known to the web 
server. The local identity can be unique or a duplicate identity shared by one or more 
other users. 
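The Fig. 4 exchange as an added example that is not code from this disclosure. A filter standing in for filter 52 appends a hypothetical proprietary scheme name, "X-Role-Token", to the web server's denial; the server 48 prefers that challenge over the others and answers with a token carrying the user's identity and role; the filter verifies the token and maps the role to a local web-server identity. The scheme name, the MAC key shared between the filter and the server 48, and the role table are assumptions made for the example.

```python
"""Proprietary role-bearing scheme of Fig. 4 (added example, not the patent's code).

The token is base64url(JSON claims) plus an HMAC so the filter can tell a
token minted by the server 48 from one forged by anyone on the path.
"""
import base64
import hashlib
import hmac
import json

FILTER_KEY = b"filter-proxy-shared-key"   # constructed; provisioned to filter 52 and server 48
PROPRIETARY = "X-Role-Token"              # hypothetical scheme name

# Constructed role table: users with the same role share one local identity
# (the "duplicate identity" case); an unknown role maps to nothing.
ROLE_TO_LOCAL_IDENTITY = {"auditor": "svc_readonly", "admin": "svc_admin"}


def sign_token(claims: dict, key: bytes) -> str:
    """Reformat the user's token for HTTP: base64url(JSON).hex(HMAC-SHA256)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verify_token(token: str, key: bytes):
    """Return the claims if the MAC checks out, else None. Editing the role
    inside the body without the key invalidates the MAC."""
    body, _, mac = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


class RoleFilter:
    """Filter 52 in front of the web server: rewrites denials and validates
    the proprietary Authorization header."""

    def on_denial(self, challenges: list) -> list:
        # Add the proprietary scheme name to the challenges the web server
        # already sends back (e.g. Basic); the others are left in place.
        return challenges + [PROPRIETARY]

    def on_request(self, headers: dict):
        auth = headers.get("Authorization", "")
        if not auth.startswith(PROPRIETARY + " "):
            return None
        claims = verify_token(auth[len(PROPRIETARY) + 1:], FILTER_KEY)
        if not claims or "sub" not in claims:
            return None
        local = ROLE_TO_LOCAL_IDENTITY.get(claims.get("role"))
        if local is None:
            return None
        return {"user": claims["sub"], "role": claims["role"], "local_identity": local}


def proxy_answer(user: str, role: str, challenges: list):
    """Server 48: when the proprietary challenge is present, respond to it
    rather than to the other authentication headers."""
    if PROPRIETARY not in challenges:
        return None                       # fall back to the ordinary handling
    token = sign_token({"sub": user, "role": role}, FILTER_KEY)
    return {"Authorization": f"{PROPRIETARY} {token}"}


def run_exchange(user: str, role: str, filt: RoleFilter):
    """Denial from the web server -> filter adds the scheme -> server 48
    answers -> filter verifies and assigns a local identity."""
    challenges = filt.on_denial(['Basic realm="Reports"'])
    req = proxy_answer(user, role, challenges)
    return filt.on_request(req) if req else None


if __name__ == "__main__":
    print(run_exchange("alice", "auditor", RoleFilter()))
```

The MAC is what makes the role claim worth anything to the filter: the role travels in the clear inside the token, so without a key shared only with the server 48 any client on the path could present itself as "admin" and be handed the corresponding local identity.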

[0033] Thus, it can be seen from the foregoing description that the authentication 
method and system of the present disclosure achieves numerous advantages. For 
example, the user can access multiple remote web servers without having to provide 
authentication information for each remote server access. Further, it should be 
appreciated that because the server performs authentication on behalf of the user, the 
user can be authenticated to access protected resources using types of authentication 
methods not known to the browser. Thus, the present disclosure allows the user to be 
authenticated to a web server using a protocol (e.g., Microsoft NTLM, or a proprietary 
authentication protocol) with a browser that does not support this protocol (e.g., 
Netscape Navigator). This advantage can be achieved without structural 
modifications to the browser. Numerous other advantages will be readily apparent to 
those of ordinary skill in the art. 

[0034] While the above disclosure describes the operation of the server as one of 
"intercepting" the authentication request from the remote server, it is to be understood 
that the definition of the term "intercept" as used in this disclosure is intended to 
include other methods, such as filtering and monitoring the communications between 
the remote server and the browser. The term "intercept" as used in this disclosure is 
limited only in that it must enable the server to respond automatically to a remote 
server's request for authentication data, without passing the request along to the 
browser and without prompting the browser for the data, whenever the authentication 
data is available to the server. Additionally, the term is intended to include the function 
of receiving a request for authentication data from the remote server and passing and/or 
generating a request for authentication data along to the browser after the server has 
determined that the authentication data is not otherwise available. 

[0035] While this disclosure has been described in conjunction with the specific 
embodiments outlined above, it is evident that many alternatives, modifications and 
variations are apparent to those skilled in the art. Accordingly, the preferred 
embodiments of the disclosure as set forth above are intended to be illustrative and 
not limiting. Various changes may be made without departing from the spirit and 
scope of the disclosure. 
WHAT IS CLAIMED IS: 

1. A method for providing browser access to network resources protected 
by a web server, the method comprising: 

requesting access by a browser to resources protected by a web server; 

intercepting a request for authentication data from the web server to the 
browser at a server located on the same device as the browser; 

determining whether the device has the requested authentication data; and 

providing the authentication data from the server to the web server if the 
device has the requested authentication data. 

2. The method of claim 1, wherein the server provides the authentication 
data by formatting a response according to a hypertext transfer protocol. 

3. The method of claim 1, wherein the authentication data includes a role 
of a user of the browser. 

4. The method of claim 3, wherein the authentication data further 
includes user identification information. 

5. The method of claim 1, wherein the request for authentication data 
includes a hypertext transfer protocol authentication header. 

6. The method of claim 5, wherein the step of providing the 
authentication data includes providing a hypertext transfer protocol authorization 
header. 

7. The method of claim 1, further comprising: 

detecting an access denial issued by the server in response to an access 
request; 

providing a supplemental authentication header to the server; 

detecting the supplemental authentication header; and 

responding to the supplemental authentication header by extracting the 
authentication data, and forwarding the authentication data to the server in an 
authentication header. 

8. The method of claim 1, further comprising: 

requesting access by the browser to resources protected by a second web 
server; 

intercepting a request for authentication data from the second web server to the 
browser at the server; 

determining whether the device has the authentication data for the second web 
server; and 

providing the authentication data from the server to the second web server if 
the device has the requested authentication data. 

9. The method of claim 1, further comprising: 

requesting the authentication data from the browser if the device does not 
include the authentication data; 

receiving the authentication data from a user through a web browser interface; 
providing the authentication data from the web browser to the server; and 
providing the authentication data from the server to the web server. 

10. The method of claim 1, wherein the request for authentication data 
includes a challenge to the request for access and wherein the providing of the 
authentication data in response to the challenge includes returning the challenge in an 
encrypted form, wherein the encrypted form indicates a shared secret. 

11. The method of claim 10, wherein the web browser is a non-NTLM 
browser and the web server is a NTLM server. 
12. A system for providing access to resources through a web server, the 
system comprising: 

a web browser adapted to receive a user request for access to a resource via 
the web server; and 

a server adapted to pass the user request to the web server, to automatically 
intercept a request for authentication data from the web server to the web browser, to 
retrieve the authentication data, and to provide the retrieved authentication data to the web 
server. 

13. The system of claim 12, further comprising memory storing the 
authentication data. 

14. The system of claim 12, wherein the server is further adapted to 
provide authentication data in response to a supplemental authentication header from 
a filter for the web server. 

15. The system of claim 12, wherein the server is further adapted to 
request the authentication data from the web browser if the server cannot retrieve the 
authentication data, and wherein the web browser is adapted to request authentication 
data from a user, and to provide the user entered authentication data to the server. 

16. The system of claim 12, wherein the server is further adapted to 
provide the authentication data by formatting a response according to a hypertext 
transfer protocol. 

17. The system of claim 12, wherein the authentication data includes a role 
of a user of the browser. 

18. The system of claim 12, wherein the authentication data includes user 
identification information. 
19. The system of claim 12, wherein the request for authentication data 
includes a hypertext transfer protocol authentication header. 

20. The system of claim 19, wherein the server is further adapted to 
provide the authentication data in a hypertext transfer protocol authorization header. 

21. The system of claim 12, wherein the server is further adapted to detect 
a supplemental authentication header and to respond to the supplemental 
authentication header by extracting the authentication data and forwarding the 
authentication data to the server in an authentication header. 

22. The system of claim 12, wherein the request for authentication data 
includes a challenge to the request for access and wherein the server is adapted to 
provide the authentication data in response to the challenge by returning the challenge 
in an encrypted form, wherein the encrypted form indicates a shared secret. 

23. The system of claim 12, wherein the web browser is a non-NTLM 
browser and the web server is a NTLM server. 

24. A system for providing browser access to network resources protected 
by a web server, the system comprising: 

means for requesting access by a browser to resources protected by a web 
server; 

means for intercepting a request for authentication data from the web server to 
the browser at a server located on the same device as the browser; 

means for determining whether the device has the requested authentication 
data; and 

means for providing the authentication data from the server to the web server 
if the device has the requested authentication data. 
25. The system of claim 24, wherein the server provides the authentication 
data by formatting a response according to a hypertext transfer protocol. 

26. The system of claim 24, wherein the authentication data includes a role 
of a user of the browser. 

27. The system of claim 26, wherein the authentication data further 
includes user identification information. 

28. The system of claim 24, wherein the request for authentication data 
includes a hypertext transfer protocol authentication header. 

29. The system of claim 28, wherein the means for providing the 
authentication data includes means for providing a hypertext transfer protocol 
authorization header. 

30. The system of claim 24, further comprising: 

means for detecting an access denial issued by the server in response to an 
access request; 

means for providing a supplemental authentication header to the server; 

means for detecting the supplemental authentication header; and 

means for responding to the supplemental authentication header by extracting 
the authentication data, and forwarding the authentication data to the server in an 
authentication header. 

31. The system of claim 24, further comprising: 

means for requesting access by the browser to resources protected by a second 
web server; 

means for intercepting a request for authentication data from the second web 
server to the browser at the server; 

means for determining whether the device has the authentication data for the 
second web server; and 

means for providing the authentication data from the server to the second web 
server if the device has the requested authentication data. 

32. The system of claim 24, further comprising: 

means for requesting the authentication data from the browser if the device 
does not include the authentication data; 

means for receiving the authentication data from a user through a web browser 
interface; 

means for providing the authentication data from the web browser to the 
server; and 

means for providing the authentication data from the server to the web server. 

33. The system of claim 24, wherein the request for authentication data 
includes a challenge to the request for access and wherein the means for providing of 
the authentication data in response to the challenge includes means for returning the 
challenge in an encrypted form, wherein the encrypted form indicates a shared secret. 

34. The system of claim 33, wherein the web browser is a non-NTLM 
browser and the web server is a NTLM server. 

35. An information storage media comprising: 

information that requests access by a browser to resources protected by a web 
server; 

information that intercepts a request for authentication data from the web 
server to the browser at a server located on the same device as the browser; 

information that determines whether the requested authentication data is 
available; and 

information that provides the authentication data from the server to the web 
server if the requested authentication data is available. 

36. The information storage media of claim 35, wherein the information 
which provides the authentication data further comprises information that formats a 
response according to a hypertext transfer protocol. 

37. The information storage media of claim 35, wherein the authentication 
data includes a role of a user of the browser. 

38. The information storage media of claim 37, wherein the authentication 
data further includes user identification information. 

39. The information storage media of claim 35, wherein the request for 
authentication data includes a hypertext transfer protocol authentication header. 

40. The information storage media of claim 39, wherein the information 
that provides the authentication data further comprises information that provides a 
hypertext transfer protocol authorization header. 

41. The information storage media of claim 35, further comprising: 

information that detects an access denial issued by the server in response to an 
access request; 

information that provides a supplemental authentication header to the server; 

information that detects the supplemental authentication header; and 

information that responds to the supplemental authentication header by 
extracting the authentication data, and forwards the authentication data to the server in 
an authentication header. 
42. The information storage media of claim 35, further comprising: 

information that requests access by the browser to resources protected by a 
second web server; 

information that intercepts a request for authentication data from the second 
web server to the browser at the server; 

information that determines whether the device has the authentication data for 
the second web server; and 

information that provides the authentication data from the server to the second 
web server if the device has the requested authentication data. 

43. The information storage media of claim 35, further comprising: 

information that requests the authentication data from the browser if the device 
does not include the authentication data; 

information that receives the authentication data from a user through a web 
browser interface; 

information that provides the authentication data from the web browser to the 
server; and 

information that provides the authentication data from the server to the web 
server. 

44. The information storage media of claim 35, wherein the request for 
authentication data includes a challenge to the request for access and wherein the 
information that provides the authentication data in response to the challenge further 
includes information that returns the challenge in an encrypted form, wherein the 
encrypted form indicates a shared secret. 

45. The information storage media of claim 44, wherein the web browser is 
a non-NTLM browser and the web server is a NTLM server. 



WO 02/12987 PCT/US01/24206 

[Drawings, sheet 1/2] 

FIG. 1 (Prior Art): client 14 running a web browser 16, communicating over link 18 with web server 12. 

FIG. 2: client 24 running a web browser 26 and a proxy server 28, communicating over link 30 with web server 22 in network 20. 

FIG. 4: client 44 running a web browser 46 and a proxy server 48, communicating over link 50 with web server 42 (carrying filter 52) in network 40. 

[Drawings, sheet 2/2] 

FIG. 3 (flow chart): Start (S100); Receive access request (S102); Send access request (S104); Receive response (S106); authentication requested? (S108), No: return (S118); Search for authenticating information (S110); found? (S112), No: Request authenticating information (S120) and Receive and save authenticating information (S122); Provide authenticating information (S114); access granted? (S116), No: Generate error message (S124); return (S118). 